Runs a Veracode Static Analysis scan and outputs any flaws found as a JSON file. This command returns exit code 3 if any flaws are found matching the specified criteria.
veracode static scan <file_path> [flags]
- Location of the package file that contains your application source code. Ensure the file meets the packaging requirements.
- Application profile ID for the application you want to upload and scan.
- Location of a JSON file with results from a previous scan. To create a baseline file, include --results-file. The new results only include flaws not listed in the baseline file.
- Comma-separated list of CWE IDs. The scan results only include flaws of the specified CWEs.
- Comma-separated list of severities. The results only include flaws of the specified severities. By default, all severities are included. Values are
- Set to true to create GitLab issues from discovered flaws. Default is false. Before you can use this flag, you must configure GitLab.
- Set to true to create a JSON file from the scan results. GitLab automatically imports the flaws from the JSON file as vulnerabilities. Default is false. To use this parameter, you must define the paths and reports settings in the GitLab CI.
- Case-sensitive, comma-separated list of name patterns that represent the names of the modules to scan as top-level modules. Veracode identifies these modules during prescan. The * wildcard matches zero or more characters. The ? wildcard matches exactly one character. For example, to include various module names that contain
  --include "module 1, module-*, module2.jar"
  The scan results show the names of the modules that Veracode identified and the modules included in the scan. This parameter does not pause, stop, or impact the performance of your pipeline.
- Name of a local policy file you want to apply to the scan results. To download a policy, use the
- Name of the CI/CD repository running a scan. This parameter adds the repository name to the scan results, which can help track scans across repositories.
- Source control reference, revision, or branch of the CI/CD repository running a scan.
- URL of the CI/CD repository running a scan.
- Filename or location to save the scan results as a JSON file. By default, the results are saved to
- Filename or location to save the scan results as a human-readable file. This file is not saved by default.
To scan a Java JAR file and output flaws to
veracode static scan my_java_application/build/project.jar
To scan a Python ZIP file and filter the results by severity and CWE ID, run:
veracode static scan my-python-project.zip --fail-on-cwe "89,117" --fail-on-severity "Very High, High"
To scan a Java class file but only include results not included in a baseline file, run:
veracode static scan my_java_application/build/IgnoreCommand.class --baseline-file "baseline-results.json"
To create a baseline file and use it in a subsequent scan, run:
veracode static scan example.jar --results-file "baseline.json"
veracode static scan example.jar --baseline-file "baseline.json"
To scan a Python ZIP file and apply policy Veracode Recommended High, run:
veracode static scan my-python-project.zip --policy-file "Veracode Recommended High.json"
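The reference above states that the command exits with code 3 when flaws match the fail criteria. The following wrapper, an added example and not part of the Veracode CLI or its documentation, shows how a CI job can turn that exit-code contract into a pipeline decision: always write a results file, treat exit 3 as a policy failure, and treat any other non-zero code as a scan error so that a broken scan is never mistaken for a clean one. It assumes the `veracode` binary is on PATH (the VERACODE_BIN and SCAN_RESULTS_FILE variables are the example's own, not CLI options).

```shell
#!/usr/bin/env sh
# Added example (not Veracode's own code). Assumptions: `veracode` is on PATH
# or named in VERACODE_BIN; exit 3 means "flaws matched the fail criteria",
# as the reference states; any other non-zero exit means the scan did not
# complete and must also fail the job.

# classify_scan_exit <code>: maps a scan exit code to pass|flaws|error.
classify_scan_exit() {
  case "$1" in
    0) echo pass ;;
    3) echo flaws ;;
    *) echo error ;;
  esac
}

# run_static_scan <package> [extra scan flags...]
# Runs the scan, always keeping a JSON results file for the pipeline to
# archive, and returns 0 (pass), 1 (flaws found) or 2 (scan error).
run_static_scan() {
  pkg="$1"; shift
  results="${SCAN_RESULTS_FILE:-results.json}"   # hypothetical default path
  if "${VERACODE_BIN:-veracode}" static scan "$pkg" --results-file "$results" "$@"; then
    rc=0
  else
    rc=$?
  fi
  case "$(classify_scan_exit "$rc")" in
    pass)  echo "scan passed: no flaws matched the fail criteria"; return 0 ;;
    flaws) echo "scan found flaws (exit 3); results in $results"; return 1 ;;
    *)     echo "scan did not complete (exit $rc); failing the job"; return 2 ;;
  esac
}

# Typical CI usage: fail the job on flaws of the listed severities only.
# run_static_scan app.jar --fail-on-severity "Very High, High"
```

Keeping the error case separate from the flaws case matters in practice: a job that only checks for exit 3 would pass silently if the scan itself aborted (bad credentials, packaging failure), which is the opposite of the gate's intent.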